Product Asterisk
Summary Denial of Service Through File Descriptor Exhaustion
with chan_sip Session-Timers
Nature of Advisory Denial of Service
Susceptibility Remote Authenticated or Anonymous Sessions
Severity Moderate
Exploits Known No
Reported On 2014/02/25
Reported By Corey Farrell
Posted On March 10, 2014
Last Updated On March 10, 2014
Advisory Contact Kinsey Moore <kmoore AT digium DOT com>
CVE Name CVE-2014-2287

Description An attacker can use all available file descriptors using
SIP INVITE requests.

Knowledge required to achieve the attack:

* Valid account credentials or anonymous dial in

* A valid extension that can be dialed from the SIP account

Trigger conditions:

* chan_sip configured with "session-timers" set to
"originate" or "accept"

** The INVITE request must contain either a Session-Expires
or a Min-SE header with malformed values or values
disallowed by the system's configuration.

* chan_sip configured with "session-timers" set to "refuse"

** The INVITE request must offer "timer" in the "Supported"
header

Asterisk will respond with code 400, 420, or 422 for
INVITEs meeting this criteria. Each INVITE meeting these
conditions will leak a channel and several file
descriptors. The file descriptors cannot be released
without restarting Asterisk which may allow intrusion
detection systems to be bypassed by sending the requests
slowly.

Resolution Upgrade to a version with the patch integrated or apply the
appropriate patch.

Affected Versions
Product Release Series
Asterisk Open Source 1.8.x All
Asterisk Open Source 11.x All
Asterisk Open Source 12.x All
Certified Asterisk 1.8.15 All
Certified Asterisk 11.6 All

This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2014-002.pdf and
http://downloads.digium.com/pub/security/AST-2014-002.html